summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3797.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc3797.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc3797.txt')
-rw-r--r--doc/rfc/rfc3797.txt1067
1 files changed, 1067 insertions, 0 deletions
diff --git a/doc/rfc/rfc3797.txt b/doc/rfc/rfc3797.txt
new file mode 100644
index 0000000..8d05e35
--- /dev/null
+++ b/doc/rfc/rfc3797.txt
@@ -0,0 +1,1067 @@
+
+
+
+
+
+
+Network Working Group D. Eastlake 3rd
+Request for Comments: 3797 Motorola Laboratories
+Obsoletes: 2777 June 2004
+Category: Informational
+
+
+ Publicly Verifiable Nominations Committee (NomCom) Random Selection
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004).
+
+Abstract
+
+ This document describes a method for making random selections in such
+ a way that the unbiased nature of the choice is publicly verifiable.
+ As an example, the selection of the voting members of the IETF
+ Nominations Committee (NomCom) from the pool of eligible volunteers
+ is used. Similar techniques would be applicable to other cases.
+
+Table of Contents
+
+ 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. General Flow of a Publicly Verifiable Process . . . . . . . . . 2
+ 2.1. Determination of the Pool . . . . . . . . . . . . . . . . 2
+ 2.2. Publication of the Algorithm. . . . . . . . . . . . . . . 3
+ 2.3. Publication of Selection. . . . . . . . . . . . . . . . . 3
+ 3. Randomness. . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3.1. Sources of Randomness . . . . . . . . . . . . . . . . . . 3
+ 3.2. Skew. . . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 3.3. Entropy Needed. . . . . . . . . . . . . . . . . . . . . . 4
+ 4. A Suggested Precise Algorithm . . . . . . . . . . . . . . . . . 5
+ 5. Handling Real World Problems. . . . . . . . . . . . . . . . . . 7
+ 5.1. Uncertainty as to the Pool. . . . . . . . . . . . . . . . 7
+ 5.2. Randomness Ambiguities. . . . . . . . . . . . . . . . . . 7
+ 6. Fully Worked Example. . . . . . . . . . . . . . . . . . . . . . 8
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 9
+ 8. Reference Code. . . . . . . . . . . . . . . . . . . . . . . . . 10
+ Appendix A: History of NomCom Member Selection . . . . . . . . . . 16
+ Appendix B: Changes from RFC 2777. . . . . . . . . . . . . . . . . 16
+ Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 17
+
+
+
+
+Eastlake 3rd Informational [Page 1]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+ References . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
+ Normative References. . . . . . . . . . . . . . . . . . . . . . 17
+ Informative References. . . . . . . . . . . . . . . . . . . . . 17
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 18
+ Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 19
+
+1. Introduction
+
+ Under the IETF rules, each year ten people are randomly selected from
+ among eligible volunteers to be the voting members of the IETF
+ nominations committee (NomCom). The NomCom nominates members of the
+ Internet Engineering Steering Group (IESG) and the Internet
+ Architecture Board (IAB) as described in [RFC 3777]. The number of
+ eligible volunteers in recent years has been around 100.
+
+ It is highly desirable that the random selection of the voting NomCom
+ be done in an unimpeachable fashion so that no reasonable charges of
+ bias or favoritism can be brought. This is as much for the
+ protection of the selection administrator (currently, the appointed
+ non-voting NomCom chair) from suspicion of bias as it is for the
+ protection of the IETF.
+
+ A method such that public information will enable any person to
+ verify the randomness of the selection meets this criterion. This
+ document gives an example of such a method.
+
+ The method, in the form it appears in RFC 2777, was also used by IANA
+ in February 2003 to determine the ACE prefix for Internationalized
+ Domain Names [RFC 3490] so as to avoid claim jumping.
+
+2. General Flow of a Publicly Verifiable Process
+
+ A selection of NomCom members publicly verifiable as unbiased or
+ similar selection could follow the three steps given below.
+
+2.1. Determination of the Pool
+
+ First, determine the pool from which the selection is to be made as
+ provided in [RFC 3777] or its successor.
+
+ Volunteers are solicited by the selection administrator. Their names
+ are then passed through the IETF Secretariat to check eligibility.
+ (Current eligibility criteria relate to IETF meeting attendance,
+ records of which are maintained by the Secretariat.) The full list
+ of eligible volunteers is made public early enough that a reasonable
+ time can be given to resolve any disputes as to who should be in the
+ pool.
+
+
+
+
+Eastlake 3rd Informational [Page 2]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+2.2. Publication of the Algorithm
+
+ The exact algorithm to be used, including the public future sources
+ of randomness, is made public. For example, the members of the final
+ list of eligible volunteers are ordered by publicly numbering them,
+ some public future sources of randomness such as government run
+ lotteries are specified, and an exact algorithm is specified whereby
+ eligible volunteers are selected based on a strong hash function
+ [RFC 1750] of these future sources of randomness.
+
+2.3. Publication of Selection
+
+ When the pre-specified sources of randomness produce their output,
+ those values plus a summary of the execution of the algorithm for
+ selection should be announced so that anyone can verify that the
+ correct randomness source values were used and the algorithm properly
+ executed. The algorithm can be run to select, in an ordered fashion,
+ a larger number than are actually necessary so that if any of those
+ selected need to be passed over or replaced for any reason, an
+ ordered set of additional alternate selections will be available. A
+ cut off time for any complaint that the algorithm was run with the
+ wrong inputs or not faithfully executed must be specified to finalize
+ the output and provide a stable selection.
+
+3. Randomness
+
+ The crux of the unbiased nature of the selection is that it is based
+ in an exact, predetermined fashion on random information which will
+ be revealed in the future and thus can not be known to the person
+ specifying the algorithm. That random information will be used to
+ control the selection. The random information must be such that it
+ will be publicly and unambiguously revealed in a timely fashion.
+
+ The random sources must not include anything that any reasonable
+ person would believe to be under the control or influence of the IETF
+ or its components, such as IETF meeting attendance statistics,
+ numbers of documents issued, or the like.
+
+3.1. Sources of Randomness
+
+ Examples of good information to use are winning lottery numbers for
+ specified runnings of specified public lotteries. Particularly for
+ government run lotteries, great care is taken to see that they occur
+ on time and produce random quantities. Even in the unlikely case one
+ were to have been rigged, it would almost certainly be in connection
+ with winning money in the lottery, not in connection with IETF use.
+
+
+
+
+
+Eastlake 3rd Informational [Page 3]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+ Other possibilities are such things as the daily balance in the US
+ Treasury on a specified day, the volume of trading on the New York
+ Stock exchange on a specified day, etc. (However, the reference code
+ given below will not handle integers that are too large.) Sporting
+ events can also be used. (Experience has indicated that stock prices
+ and/or volumes are a poor source of unambiguous data due trading
+ suspensions, company mergers, delistings, splits, multiple markets,
+ etc.) In all cases, great care must be taken to specify exactly what
+ quantities are being presumed random and what will be done if their
+ issuance is cancelled, delayed, or advanced.
+
+ It is important that the last source of randomness, chronologically,
+ produce a substantial amount of the entropy needed. If most of the
+ randomness has come from the earlier of the specified sources, and
+ someone has even limited influence on the final source, they might do
+ an exhaustive analysis and exert such influence so as to bias the
+ selection in the direction they wanted. Thus it is best for the last
+ source to be an especially strong and unbiased source of a large
+ amount of randomness such as a government run lottery.
+
+ It is best not to use too many different sources. Every additional
+ source increases the probability that one or more sources might be
+ delayed, cancelled, or just plain screwed up somehow, calling into
+ play contingency provisions or, worst of all, creating a situation
+ that was not anticipated. This would either require arbitrary
+ judgment by the selection administrator, defeating the randomness of
+ the selection, or a re-run with a new set of sources, causing much
+ delay. Three or four would be a good number of sources. Ten is too
+ many.
+
+3.2. Skew
+
+ Some of the sources of randomness produce data that is not uniformly
+ distributed. This is certainly true of volumes, prices, and horse
+ race results, for example. However, use of a strong mixing function
+ [RFC 1750] will extract the available entropy and produce a hash
+ value whose bits, remainder modulo a small divisor, etc., deviate
+ from a uniform distribution only by an insignificant amount.
+
+3.3. Entropy Needed
+
+ What we are doing is selecting N items without replacement from a
+ population of P items. The number of different ways to do this is as
+ follows, where "!" represents the factorial function:
+
+ P!
+ -------------
+ N! * (P - N)!
+
+
+
+Eastlake 3rd Informational [Page 4]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+ To do this in a completely random fashion requires as many random
+ bits as the logarithm base 2 of that quantity. Some sample
+ calculated approximate number of random bits for the completely
+ random selection of 10 NomCom members from various pool sizes is
+ given below:
+
+ Random Selection of Ten Items From Pool
+
+ Pool size 20 25 30 35 40 50 60 75 100 120
+ Bits needed 18 22 25 28 30 34 37 40 44 47
+
+ Using an inadequate number of bits means that not all of the possible
+ sets of ten selected items would be available. For a substantially
+ inadequate amount of entropy, there could be a significant
+ correlation between the selection of two different members of the
+ pool, for example. However, as a practical matter, for pool sizes
+ likely to be encountered in IETF NomCom membership selection, 40 bits
+ of entropy should always be adequate. Even if there is a large pool
+ and more bits are needed for perfect randomness, 40 bits of entropy
+ will assure only an insignificant deviation from completely random
+ selection for the difference in probability of selection of different
+ pool members, the correlation between the selection of any pair of
+ pool members, etc.
+
+ An MD5 [RFC 1321] hash has 128 bits and therefore can produce no more
+ than that number of bits of entropy. However, this is more than
+ three times what is likely to ever be needed for IETF NomCom
+ membership selection. A even stronger hash, such as SHA-1
+ [RFC 3174], can be used if desired.
+
+4. A Suggested Precise Algorithm
+
+ It is important that a precise algorithm be given for mixing the
+ random sources specified and making the selection based thereon.
+ Sources suggested above produce either a single positive number
+ (i.e., NY Stock Exchange volume in thousands of shares) or a small
+ set of positive numbers (many lotteries provide 6 numbers in the
+ range of 1 through 40 or the like, a sporting event could produce the
+ scores of two teams, etc.). A suggested precise algorithm is as
+ follows:
+
+ 1. For each source producing multiple numeric values, represent
+ each as a decimal number terminated by a period (or with a
+ period separating the whole from the fractional part), without
+ leading zeroes (except for a single leading zero if the integer
+ part is zero), and without trailing zeroes after the period.
+
+
+
+
+
+Eastlake 3rd Informational [Page 5]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+ 2. Order the values from each source from smallest to the largest
+ and concatenate them and suffix the result with a "/". For
+ each source producing a single number, simply represent it as
+ above with a suffix "/". (This sorting is necessary because
+ the same lottery results, for example, are sometimes reported
+ in the order numbers were drawn and sometimes in numeric order
+ and such things as the scores of two sports teams that play a
+ game has no inherent order.)
+
+ 3. At this point you have a string for each source, say s1/, s2/,
+ ... Concatenate these strings in a pre-specified order, the
+ order in which the sources were listed if not otherwise
+ specified, and represent each character as its ASCII code
+ [ASCII] producing "s1/s2/.../".
+
+ You then produce a sequence of random values derived from a strong
+ mixing of these sources by calculating the MD5 hash [RFC 1321] of
+ this string prefixed and suffixed with an all zeros two byte sequence
+ for the first value, the string prefixed and suffixed by 0x0001 for
+ the second value, etc., treating the two bytes as a big endian
+ counter. Treat each of these derived "random" MD5 output values as a
+ positive 128-bit multiprecision big endian integer.
+
+ Then totally order the pool of listed volunteers as follows: If there
+ are P volunteers, select the first by dividing the first derived
+ random value by P and using the remainder plus one as the position of
+ the selectee in the published list. Select the second by dividing
+ the second derived random value by P-1 and using the remainder plus
+ one as the position in the list with the first selected person
+ eliminated. Etc.
+
+ It is STRONGLY recommended that alphanumeric random sources be
+ avoided due to the much greater difficulty in canonicalizing them in
+ an independently repeatable fashion; however, if you choose to ignore
+ this advice and use an ASCII or similar Roman alphabet source or
+ sources, all white space, punctuation, accents, and special
+ characters should be removed and all letters set to upper case. This
+ will leave only an unbroken sequence of letters A-Z and digits 0-9
+ which can be treated as a canonicalized number above and suffixed
+ with a "./". If you choose to not just ignore but flagrantly flout
+ this advice and try to use even more complex and harder to
+ canonicalize internationalized text, such as UNICODE, you are on your
+ own.
+
+
+
+
+
+
+
+
+Eastlake 3rd Informational [Page 6]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+5. Handling Real World Problems
+
+ In the real world, problems can arise in following the steps and flow
+ outlined in Sections 2 through 4 above. Some problems that have
+ actually arisen are described below with recommendations for handling
+ them.
+
+5.1. Uncertainty as to the Pool
+
+ Every reasonable effort should be made to see that the published pool
+ from which selection is made is of certain and eligible persons.
+ However, especially with compressed schedules or perhaps someone
+ whose claim that they volunteered and are eligible has not been
+ resolved by the deadline, or a determination that someone is not
+ eligible which occurs after the publication of the pool, it may be
+ that there are still uncertainties.
+
+ The best way to handle this is to maintain the announced schedule,
+ INCLUDE in the published pool all those whose eligibility is
+ uncertain and to keep the published pool list numbering IMMUTABLE
+ after its publication. If someone in the pool is later selected by
+ the algorithm and random input but it has been determined they are
+ ineligible, they can be skipped and the algorithm run further to make
+ an additional selection. Thus the uncertainty only effects one
+ selection and in general no more than a maximum of U selections where
+ there are U uncertain pool members.
+
+ Other courses of action are far worse. Actual insertion or deletion
+ of entries in the pool after its publication changes the length of
+ the list and totally scrambles who is selected, possibly changing
+ every selection. Insertion into the pool raises questions of where
+ to insert: at the beginning, end, alphabetic order, ... Any such
+ choices by the selection administrator after the random numbers are
+ known destroys the public verifiability of fair choice. Even if done
+ before the random numbers are known, such dinking with the list after
+ its publication just smells bad. There should be clear fixed public
+ deadlines and someone who challenges their absence from the pool
+ after the published deadline should have their challenge
+ automatically denied for tardiness.
+
+5.2. Randomness Ambiguities
+
+ The best good faith efforts have been made to specify precise and
+ unambiguous sources of randomness. These sources have been made
+ public in advance and there has not been objection to them. However,
+ it has happened that when the time comes to actually get and use this
+ randomness, the real world has thrown a curve ball and it isn't quite
+ clear what data to use. Problems have particularly arisen in
+
+
+
+Eastlake 3rd Informational [Page 7]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+ connection with stock prices, volumes, and financial exchange rates
+ or indices. If volumes that were published in thousands are
+ published in hundreds, you have a rounding problem. Prices that were
+ quoted in fractions or decimals can change to the other. If you take
+ care of every contingency that has come up in the past, you can be
+ hit with a new one. When this sort of thing happens, it is generally
+ too late to announce new sources, an action which could raise
+ suspicions of its own. About the only course of action is to make a
+ reasonable choice within the ambiguity and depend on confidence in
+ the good faith of the selection administrator. With care, such cases
+ should be extremely rare.
+
+ Based on these experiences, it is again recommended that public
+ lottery numbers or the like be used as the random inputs and stock
+ prices and volumes avoided.
+
+6. Fully Worked Example
+
+ Assume the following ordered list of 25 eligible volunteers is
+ published in advance of selection:
+
+ 1. John 11. Pollyanna 21. Pride
+ 2. Mary 12. Pendragon 22. Sloth
+ 3. Bashful 13. Pandora 23. Envy
+ 4. Dopey 14. Faith 24. Anger
+ 5. Sleepy 15. Hope 25. Kasczynski
+ 6. Grouchy 16. Charity
+ 7. Doc 17. Lee
+ 8. Sneazy 18. Longsuffering
+ 9. Handsome 19. Chastity
+ 10. Cassandra 20. Smith
+
+ Assume the following (fake example) ordered list of randomness
+ sources:
+ 1. The Kingdom of Alphaland State Lottery daily number for 1 November
+ 2004 treated as a single four digit integer.
+ 2. Numbers of the winning horses at Hialeia for all races for the
+ first day on or after 13 October 2004 on which at least two races
+ are run.
+ 3. The People's Democratic Republic of Betastani State Lottery six
+ winning numbers (ignoring the seventh "extra" number) for 1
+ November 2004.
+
+ Hypothetical randomness publicly produced:
+ Source 1: 9319
+ Source 2: 2, 5, 12, 8, 10
+ Source 3: 9, 18, 26, 34, 41, 45
+
+
+
+
+Eastlake 3rd Informational [Page 8]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+ Resulting key string:
+
+ 9319./2.5.8.10.12./9.18.26.34.41.45./
+
+ The table below gives the hex of the MD5 of the above key string
+ bracketed with a two byte string that is successively 0x0000, 0x0001,
+ 0x0002, through 0x0010 (16 decimal). The divisor for the number size
+ of the remaining pool at each stage is given and the index of the
+ selectee as per the original number of those in the pool.
+
+ index hex value of MD5 div selected
+ 1 990DD0A5692A029A98B5E01AA28F3459 25 -> 17 <-
+ 2 3691E55CB63FCC37914430B2F70B5EC6 24 -> 7 <-
+ 3 FE814EDF564C190AC1D25753979990FA 23 -> 2 <-
+ 4 1863CCACEB568C31D7DDBDF1D4E91387 22 -> 16 <-
+ 5 F4AB33DF4889F0AF29C513905BE1D758 21 -> 25 <-
+ 6 13EAEB529F61ACFB9A29D0BA3A60DE4A 20 -> 23 <-
+ 7 992DB77C382CA2BDB9727001F3CDCCD9 19 -> 8 <-
+ 8 63AB4258ECA922976811C7F55C383CE7 18 -> 24 <-
+ 9 DFBC5AC97CED01B3A6E348E3CC63F40D 17 -> 19 <-
+ 10 31CB111C4A4EBE9287CEAE16FE51B909 16 -> 13 <-
+ 11 07FA46C122F164C215BBC72793B189A3 15 -> 22 <-
+ 12 AC52F8D75CCBE2E61AFEB3387637D501 14 -> 5 <-
+ 13 53306F73E14FC0B2FBF434218D25948E 13 -> 18 <-
+ 14 B5D1403501A81F9A47318BE7893B347C 12 -> 9 <-
+ 15 85B10B356AA06663EF1B1B407765100A 11 -> 1 <-
+ 16 3269E6CE559ABD57E2BA6AAB495EB9BD 10 -> 4 <-
+
+ Resulting first ten selected, in order selected:
+
+ 1. Lee (17) 6. Envy (23)
+ 2. Doc (7) 7. Sneazy (8)
+ 3. Mary (2) 8. Anger (24)
+ 4. Charity (16) 9. Chastity (19)
+ 5. Kasczynski (25) 10. Pandora (13)
+
+ Should one of the above turn out to be ineligible or decline to
+ serve, the next would be Sloth, number 22.
+
+7. Security Considerations
+
+ Careful choice of should be made of randomness inputs so that there
+ is no reasonable suspicion that they are under the control of the
+ administrator. Guidelines given above to use a small number of
+ inputs with a substantial amount of entropy from the last should be
+ followed. And equal care needs to be given that the algorithm
+ selected is faithfully executed with the designated inputs values.
+
+
+
+
+Eastlake 3rd Informational [Page 9]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+ Publication of the results and a week or so window for the community
+ of interest to duplicate the calculations should give a reasonable
+ assurance against implementation tampering.
+
+8. Reference Code
+
+ This code makes use of the MD5 reference code from [RFC 1321] ("RSA
+ Data Security, Inc. MD5 Message-Digest Algorithm"). The portion of
+ the code dealing with multiple floating point numbers was written by
+ Matt Crawford. The original code in RFC 2777 could only handle pools
+ of up to 255 members and was extended to 2**16-1 by Erik Nordmark.
+ This code has been extracted from this document, compiled, and
+ tested. While no flaws have been found, it is possible that when
+ used with some compiler on some system some flaw will manifest
+ itself.
+
+ /****************************************************************
+ *
+ * Reference code for
+ * "Publicly Verifiable Random Selection"
+ * Donald E. Eastlake 3rd
+ * February 2004
+ *
+ ****************************************************************/
+ #include <limits.h>
+ #include <math.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+ /* From RFC 1321 */
+ #include "global.h"
+ #include "MD5.h"
+
+ /* local prototypes */
+ int longremainder ( unsigned short divisor,
+ unsigned char dividend[16] );
+ long int getinteger ( char *string );
+ double NPentropy ( int N, int P );
+
+
+ /* limited to up to 16 inputs of up to sixteen integers each */
+ /* pool limit of 2**8-1 extended to 2**16-1 by Erik Nordmark */
+ /****************************************************************/
+
+ main ()
+ {
+ int i, j, k, k2, err, keysize, selection, usel;
+
+
+
+Eastlake 3rd Informational [Page 10]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+ unsigned short remaining, *selected;
+ long int pool, temp, array[16];
+ MD5_CTX ctx;
+ char buffer[257], key [800], sarray[16][256];
+ unsigned char uc16[16], unch1, unch2;
+
+ pool = getinteger ( "Type size of pool:\n" );
+ if ( pool > 65535 )
+
+ {
+ printf ( "Pool too big.\n" );
+ exit ( 1 );
+ }
+ selected = (unsigned short *) malloc ( (size_t)pool );
+ if ( !selected )
+ {
+ printf ( "Out of memory.\n" );
+ exit ( 1 );
+ }
+ selection = getinteger ( "Type number of items to be selected:\n" );
+ if ( selection > pool )
+ {
+ printf ( "Pool too small.\n" );
+ exit ( 1 );
+ }
+ if ( selection == pool )
+ printf ( "All of the pool is selected.\n" );
+ else
+ {
+ err = printf ( "Approximately %.1f bits of entropy needed.\n",
+ NPentropy ( selection, pool ) + 0.1 );
+ if ( err <= 0 ) exit ( 1 );
+ }
+ for ( i = 0, keysize = 0; i < 16; ++i )
+ {
+ if ( keysize > 500 )
+ {
+ printf ( "Too much input.\n" );
+ exit ( 1 );
+ }
+ /* get the "random" inputs. echo back to user so the user may
+ be able to tell if truncation or other glitches occur. */
+ err = printf (
+ "\nType #%d randomness or 'end' followed by new line.\n"
+ "Up to 16 integers or the word 'float' followed by up\n"
+ "to 16 x.y format reals.\n", i+1 );
+ if ( err <= 0 ) exit ( 1 );
+ gets ( buffer );
+
+
+
+Eastlake 3rd Informational [Page 11]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+ j = sscanf ( buffer,
+ "%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld",
+ &array[0], &array[1], &array[2], &array[3],
+ &array[4], &array[5], &array[6], &array[7],
+ &array[8], &array[9], &array[10], &array[11],
+ &array[12], &array[13], &array[14], &array[15] );
+ if ( j == EOF )
+ exit ( j );
+ if ( !j )
+ if ( buffer[0] == 'e' )
+ break;
+
+ else
+ { /* floating point code by Matt Crawford */
+ j = sscanf ( buffer,
+ "float %ld.%[0-9]%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]"
+ "%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]"
+ "%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]"
+ "%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]",
+ &array[0], sarray[0], &array[1], sarray[1],
+ &array[2], sarray[2], &array[3], sarray[3],
+ &array[4], sarray[4], &array[5], sarray[5],
+ &array[6], sarray[6], &array[7], sarray[7],
+ &array[8], sarray[8], &array[9], sarray[9],
+ &array[10], sarray[10], &array[11], sarray[11],
+ &array[12], sarray[12], &array[13], sarray[13],
+ &array[14], sarray[14], &array[15], sarray[15] );
+ if ( j == 0 || j & 1 )
+ printf ( "Bad format." );
+ else {
+ for ( k = 0, j /= 2; k < j; k++ )
+ {
+ /* strip trailing zeros */
+ for ( k2=strlen(sarray[k]); sarray[k][--k2]=='0';)
+ sarray[k][k2] = '\0';
+ err = printf ( "%ld.%s\n", array[k], sarray[k] );
+ if ( err <= 0 ) exit ( 1 );
+ keysize += sprintf ( &key[keysize], "%ld.%s",
+ array[k], sarray[k] );
+ }
+ keysize += sprintf ( &key[keysize], "/" );
+ }
+ }
+ else
+ { /* sort values, not a very efficient algorithm */
+ for ( k2 = 0; k2 < j - 1; ++k2 )
+ for ( k = 0; k < j - 1; ++k )
+ if ( array[k] > array[k+1] )
+
+
+
+Eastlake 3rd Informational [Page 12]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+ {
+ temp = array[k];
+ array[k] = array[k+1];
+ array[k+1] = temp;
+ }
+ for ( k = 0; k < j; ++k )
+ { /* print for user check */
+ err = printf ( "%ld ", array[k] );
+ if ( err <= 0 ) exit ( 1 );
+ keysize += sprintf ( &key[keysize], "%ld.", array[k] );
+ }
+ keysize += sprintf ( &key[keysize], "/" );
+ }
+ } /* end for i */
+
+ /* have obtained all the input, now produce the output */
+ err = printf ( "Key is:\n %s\n", key );
+ if ( err <= 0 ) exit ( 1 );
+ for ( i = 0; i < pool; ++i )
+ selected [i] = (unsigned short)(i + 1);
+ printf ( "index hex value of MD5 div selected\n" );
+ for ( usel = 0, remaining = (unsigned short)pool;
+ usel < selection;
+ ++usel, --remaining )
+ {
+ unch1 = (unsigned char)usel;
+ unch2 = (unsigned char)(usel>>8);
+ /* prefix/suffix extended to 2 bytes by Donald Eastlake */
+ MD5Init ( &ctx );
+ MD5Update ( &ctx, &unch2, 1 );
+ MD5Update ( &ctx, &unch1, 1 );
+ MD5Update ( &ctx, (unsigned char *)key, keysize );
+ MD5Update ( &ctx, &unch2, 1 );
+ MD5Update ( &ctx, &unch1, 1 );
+ MD5Final ( uc16, &ctx );
+ k = longremainder ( remaining, uc16 );
+ /* printf ( "Remaining = %d, remainder = %d.\n", remaining, k ); */
+ for ( j = 0; j < pool; ++j )
+ if ( selected[j] )
+ if ( --k < 0 )
+ {
+ printf ( "%2d "
+ "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X "
+ "%2d -> %2d <-\n",
+ usel+1, uc16[0],uc16[1],uc16[2],uc16[3],uc16[4],uc16[5],uc16[6],
+ uc16[7],uc16[8],uc16[9],uc16[10],uc16[11],uc16[12],uc16[13],
+ uc16[14],uc16[15], remaining, selected[j] );
+ selected[j] = 0;
+
+
+
+Eastlake 3rd Informational [Page 13]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+ break;
+ }
+ }
+ printf ( "\nDone, type any character to exit.\n" );
+ getchar ();
+ return 0;
+ }
+
+ /* prompt for a positive non-zero integer input */
+ /****************************************************************/
+ long int getinteger ( char *string )
+ {
+ long int i;
+ int j;
+ char tin[257];
+
+ while ( 1 )
+ {
+ printf ( string );
+ printf ( "(or 'exit' to exit) " );
+ gets ( tin );
+ j = sscanf ( tin, "%ld", &i );
+ if ( ( j == EOF )
+
+ || ( !j && ( ( tin[0] == 'e' ) || ( tin[0] == 'E' ) ) )
+ )
+ exit ( j );
+ if ( ( j == 1 ) &&
+ ( i > 0 ) )
+ return i;
+ } /* end while */
+ }
+
+ /* get remainder of dividing a 16 byte unsigned int
+ by a small positive number */
+ /****************************************************************/
+ int longremainder ( unsigned short divisor,
+ unsigned char dividend[16] )
+ {
+ int i;
+ long int kruft;
+
+ if ( !divisor )
+ return -1;
+ for ( i = 0, kruft = 0; i < 16; ++i )
+ {
+ kruft = ( kruft << 8 ) + dividend[i];
+ kruft %= divisor;
+
+
+
+Eastlake 3rd Informational [Page 14]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+ }
+ return kruft;
+ } /* end longremainder */
+
+ /* calculate how many bits of entropy it takes to select N from P */
+ /****************************************************************/
+ /* P!
+ log ( ----------------- )
+ 2 N! * ( P - N )!
+ */
+
+ double NPentropy ( int N, int P )
+ {
+ int i;
+ double result = 0.0;
+
+ if ( ( N < 1 ) /* not selecting anything? */
+ || ( N >= P ) /* selecting all of pool or more? */
+ )
+ return 0.0; /* degenerate case */
+ for ( i = P; i > ( P - N ); --i )
+ result += log ( i );
+ for ( i = N; i > 1; --i )
+ result -= log ( i );
+ /* divide by [ log (base e) of 2 ] to convert to bits */
+ result /= 0.69315;
+
+ return result;
+ } /* end NPentropy */
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake 3rd Informational [Page 15]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+Appendix A: History of NomCom Member Selection
+
+ For reference purposes, here is a list of the IETF Nominations
+ Committee member selection techniques and chairs so far:
+
+ YEAR CHAIR SELECTION METHOD
+
+ 1993/1994 Jeff Case Clergy
+ 1994/1995 Fred Baker Clergy
+ 1995/1996 Guy Almes Clergy
+ 1996/1997 Geoff Huston Spouse
+ 1997/1998 Mike St.Johns Algorithm
+ 1998/1999 Donald Eastlake 3rd RFC 2777
+ 1999/2000 Avri Doria RFC 2777
+ 2000/2001 Bernard Aboba RFC 2777
+ 2001/2002 Theodore Ts'o RFC 2777
+ 2002/2003 Phil Roberts RFC 2777
+ 2003/2004 Rich Draves RFC 2777
+
+ Clergy = Names were written on pieces of paper, placed in a
+ receptacle, and a member of the clergy picked the NomCom members.
+
+ Spouse = Same as Clergy except chair's spouse made the selection.
+
+ Algorithm = Algorithmic selection based on similar concepts to those
+ documented in RFC 2777 and herein.
+
+ RFC 2777 = Algorithmic selection using the algorithm and reference
+ code provided in RFC 2777 (but not the fake example sources of
+ randomness).
+
+Appendix B: Changes from RFC 2777
+
+ This document differs from [RFC 2777], the previous version, in three
+ primary ways as follows:
+
+ (1) Section 5, on problems actually encountered with using these
+ recommendations for selecting an IETF NomCom and on how to handle
+ them, has been added.
+
+ (2) The selection algorithm code has been modified to handle pools of
+ up to 2**16-1 elements and the counter based prefix and suffix
+ concatenated with the key string before hashing has been extended
+ to two bytes.
+
+ (3) Mention has been added that the algorithm documented herein was
+ used by IANA to select the Internationalized Domain Name ACE
+ prefix and some minor wording changes made.
+
+
+
+Eastlake 3rd Informational [Page 16]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+ (4) References have been divided into Informative and Normative.
+
+ (5) The list in Appendix A has been brought up to date.
+
+Acknowledgements
+
+ Matt Crawford and Erik Nordmark made major contributions to this
+ document. Comments by Bernard Aboba, Theodore Ts'o, Jim Galvin,
+ Steve Bellovin, and others have been incorporated.
+
+References
+
+Normative References
+
+ [ASCII] "USA Standard Code for Information Interchange", X3.4,
+ American National Standards Institute: New York, 1968.
+
+ [RFC 1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
+ April 1992.
+
+ [RFC 1750] Eastlake, 3rd, D., Crocker, S. and J. Schiller,
+ "Randomness Recommendations for Security", RFC 1750,
+ December 1994.
+
+ [RFC 3174] Eastlake, 3rd, D. and P. Jones, "US Secure Hash Algorithm
+ 1 (SHA1)", RFC 3174, September 2001.
+
+Informative References
+
+ [RFC 3777] Galvin, J., "IAB and IESG Selection, Confirmation, and
+ Recall Process: Operation of the Nominating and Recall
+ Committees", BCP 10, RFC 3777, April 2004.
+
+ [RFC 2777] Eastlake, 3rd, D., "Publicly Verifiable Nomcom Random
+ Selection", RFC 2777, February 2000.
+
+ [RFC 3490] Falstrom, P., Hoffman, P. and A. Costello,
+ "Internationalizing Domain Names in Applications (IDNA)",
+ RFC 3490, March 2003.
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake 3rd Informational [Page 17]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+Author's Address
+
+ Donald E. Eastlake, 3rd
+ Motorola Laboratories
+ 155 Beaver Street
+ Milford, MA 01757 USA
+
+ Phone: +1-508-786-7554(w)
+ +1-508-634-2066(h)
+ EMail: Donald.Eastlake@motorola.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake 3rd Informational [Page 18]
+
+RFC 3797 Verifiable Random Selection June 2004
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf-
+ ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+Eastlake 3rd Informational [Page 19]
+